This blog is totally independent and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.

Monday, November 16, 2015

Weekly Australian Health IT Links – 16th November, 2015.

Here are a few I have come across in the last week or so.

Note: Each link is followed by a title and a few paragraphs. For the full article click on the link above the title of the article. Note also that full access to some links may require site registration or subscription payment.

General Comment

What an amazing week with an incompetent Parliament passing laws to extend the PCEHR! Other stuff also included.

What a disaster for e-Health in Australia as the mindless ill-conceived juggernaut just rolls on!

The Senate Community Affairs Legislation Committee has recommended that the Health Legislation Amendment (eHealth) Bill be passed, with proposed increased penalties for misuse of My Health Record information. The Bill proposes, among other things, to change the name of the PCEHR system to the My Health Record system and enable trials of opt-out participation.

The Senate Community Affairs Legislation Committee tabled its report on the Health Legislation Amendment (eHealth) Bill this week. The report noted the AMA argued against the introduction of increased civil penalties and new criminal penalties in relation to unauthorised use or disclosure of My Health Record information. However, the committee considered that these penalties are justified as deterrent measures to protect the privacy of system participants.

Bill officially passes parliament.

The Australian government has been given the go-ahead to create a digital health record for every Australian by default pending the success of trials of the model, after the bill for opt-out records passed the parliament today.

The change in approach was a response to slow take-up of the former Labor government's PCEHR scheme, which allowed individuals to opt-in to the digital health record.

The Health Legislation Amendment (eHealth) Bill 2015 today passed the Senate with no amendments, allowing the government to trial opt-out e-health records in two locations in Queensland and NSW, covering around one million individuals.

The medical records of all Australians are set to go online after legislation to revamp the e-health system and get more people using it cleared Parliament.

The new My Health Record system is to be trialled first in north Queensland and the NSW Blue Mountains region, and will be rolled out nationally if it proves a success.

Australians will need to opt-out of the system if they don't want an e-health record, as opposed to the current model, which started out as the Personally Controlled E-health Record System, which required patients to opt-in.

The Australian Privacy Foundation has accused the Senate of being "dangerously naive" in thinking that opt-out e-health records could be secured against breaches of privacy.

Bernard Robertson-Dunn, a member of the Privacy Foundation who has also constructed IT systems for several government departments, said it is "patently absurd" for the Senate inquiry committee to think that Australian laws will do anything to deter criminals and cyber attacks from overseas.

The Senate had said it would institute penalties for privacy breaches in order to address concerns over the misuse of confidential medical information.

The Senate had ignored expert advice by changing the e-health records to be opt-out, according to the Privacy Foundation, with the likelihood of personal information being stolen and published in an attack similar to the Ashley Madison hack increasing with the more data that is stored.

Privacy foundation slams 'dangerously naive' Senators

Australia's peak privacy body has lambasted the country's Senate for being ignorant about the implications of the country's new e-health records.

What was once called the Personally Controlled Electronic Health Record (PCEHR), re-branded My Health Record this year to give it a smiley face, is the government's attempt to dragoon Australians into a national health database.

Looking behind the mask, however, the Australian Privacy Foundation reckons the e-health system looks more like it was designed for spooks and revenue-collectors than for doctors or patients.

Coming in for special criticism is the Senate committee recommendation (full report here) that My Health Record be changed from an opt-in system to an opt-out system. That decision seems designed to boost the chronically low take-up of a system that this year got a budget allocation of more than AU$450 million (its 15-year estimated cost from 2010 to 2025 is $3.6 billion).

Online CBT programs have no benefit in depression because patients fail to engage with them, a major evaluation by GPs has found.

UK researchers have recommended against routine use of online CBT after their randomised controlled trial in 100 primary care practices found that programs such as the widely recommended MoodGYM conferred no benefit compared with usual GP care.

Almost one quarter of patients dropped out within four months of being offered the Australian-developed free program, or a commercial program called 'Beat the Blues', showed the research by the Department of Health Sciences at the University of York.

In addition, only about one in six of the 378 participants completed all the assigned computerised CBT sessions.

Problems with information technology (IT) in general practice are creating risks for patient care, a study led by researchers at Macquarie University, Flinders University and the University of New South Wales has found. The TechWatch study, published in BMJ Quality and Safety, examined the effects of IT errors on patient safety in general practice.

The researchers asked 87 General Practitioners (GPs) across Australia to report any IT incidents over a 19 month period between 2012-2013 that could lead to patient harm or near miss events, finding that IT issues were at fault for 90 reported incidents during this period. While some of the patient safety risks were carried over from historical paper records system, there was an array of additional disruptions in workflow and hazards for patients unique to IT.

“Our results show that IT problems can disrupt care delivery and pose risks to patient safety,” said Associate Professor Farah Magrabi from the Australian Institute of Health Innovation and the NHMRC Centre for Research Excellence in E-Health at Macquarie University.

Practice software problems are wasting doctors’ time and have the potential to lead to dangerous prescribing errors, research shows.

On average GPs spend two hours a week troubleshooting software issues such as frozen screens, problems with software updates, and disappearing or mismatching patient data, according to a study of 87 GPs across Australia.

If replicated nationwide, this suggests that Australia's 22,600 GPs spend a total of two million hours per year fixing IT problems.

The study found that software issues also put patients at risk, with GPs in the study reporting 90 incidents that either caused patient harm or led to a near miss event over a 19-month period.

SEVEN GP practices assessed for eHealth PCEHR privacy safeguard compliance all failed to fulfil the requirements — sometimes for simply not activating the screensaver lock when a computer was left unattended.

That assessment is one of five audits the Office of the Australian Information Commissioner (OAIC) has undertaken, according to its 2014–15 report.

The report refers to the audits and says no complaints of breaches were made to the independent PCEHR overseer, but that “a number of recommendations” had been accepted by the health department.

One of these assessments, not contained in the annual report, scrutinised eHealth security in the seven clinics — all active eHealth system users and Health Provider Organisation (HPO) members — between December 2014 and April 2015.

You leave a data trail every time you tap your card to make a payment, dial a phone number or use the internet. But would you be willing to let that data tracking into the bedroom, the gym and the doctor’s surgery?

National Australia Bank’s insurance arm is about to test that proposition by handing out smartwatches that collect data on resting heart rate, sleep patterns and exercise to some of their life insurance customers, in what is believed to be a first for wearable technology in Australia. In exchange for agreeing to sign over information collected by the watch and then meeting good health goals, MLC is offering discounts on life insurance policies of up to 10 per cent.

It is being pitched as an initiative to try to get customers into healthy habits that will reduce their need to claim.

“It’s a bet that if they can achieve healthy habits for three, six, nine, 12 months then habits are habits and it’s hard to get out of habits,” the general manager of insurance for NAB and MLC, David Hackett, said.

Author Julian Elliott

Head of Clinical Research in the Department of Infectious Diseases, Alfred Hospital and Monash University and Senior Research Fellow at the Australasian Cochrane Centre, Cochrane Collaboration

“What if we, as government, got out of the way and gave consumers full access to their own personalised health data and full control over how they choose to use it?” Health Minister Sussan Ley asked in her recent speech to the National Press Club.

Ley sketched out a new health landscape populated by consumers who shared their personal e-health records with app developers, dietitians and retailers in return for products and services tailored to their particular health needs.

“The great digital health revolution,” the minister concluded, “lies literally in the palms of consumers, rather than government.”

On one level this rings true. There have never been more ways to monitor our personal health and well-being, and share and compare our findings. We can track our activity, diet, exercise, emotions and sleeping habits on our mobiles, Fitbits, Apple watches and apps. We can even have our genomes sequenced.

If you were able to help find a cure for cancer without lifting a finger, it would be a no-brainer, right?

Well now you can, thanks to a new Android app created by the Garvan Institute of Medical Research, and Vodafone Foundation Australia, which funds health and well-being projects that use mobile technology.

Two years in the making and with the help of Melbourne app developer b2cloud, DreamLab harnesses unused capacity in your smartphone while you're sleeping to crunch medical data for cancer research.

The researchers are hoping to get 100,000 users signed up in the first year, which would allow them to process data around 3000 times faster than they currently are, and complete their first phase of research into four cancers: breast, ovarian, prostate and pancreatic.

Verification services expanded across the Tasman.

Australia and New Zealand have inked an agreement that will allow organisations to electronically verify proof of ID documents issued by either federal government as well as Australian states and territories.

Australia’s document verification service (DVS) has been in use since 2007, and gives authorised government and non-government organisations the ability to check the authenticity of documents they have received against the government’s own records.

AN Australian-designed, web-based cognitive behaviour therapy (CBT) program has reduced suicidal ideation among US medical interns by 60%, highlighting its potential as an efficacious public health measure in a country where one physician dies by suicide every day, according to the authors of research published in JAMA Psychiatry. The 199 interns from multiple specialties were randomised to the web-based therapy group — MoodGYM, developed at the Australian National University’s National Institute for Mental Health Research — or an attention-control group, who received emails with general information about depression, suicidal thinking and local mental health professionals. MoodGYM is a free, online interactive CBT- and interpersonal-based therapy program for young people experiencing mild to moderate levels of depression or anxiety. All interns in the study also completed study activities lasting 30 minutes each week for 4 weeks before starting the internship year. Suicidal ideation was assessed 3 months before students started their intern year and then at 3, 6, 9 and 12 months of their intern year. Over the year, 12% of interns in the MoodGYM therapy reported suicidal ideation during at least one follow-up assessment, compared with 21.2% of students in the control group. The researchers wrote that the findings were important, given that suicidal ideation increased 370% over the first 3 months of the internship year. “With approximately 24 000 medical trainees beginning internship each year, dissemination of a pragmatic, no-cost, feasible, and efficacious prevention program could have substantial public health benefits”, they wrote. Further research using a larger sample would be required to determine whether MoodGYM had any impact on suicide rates, they wrote. 
An accompanying editorial suggested MoodGYM “inoculated” interns at a critical time in their lives, by providing knowledge and skills that would “enable them to be resilient to the stresses of internship, depression, and suicidal ideation”.

The National E-Health Transition Authority was established in 2005 by the Council of Australian Governments (COAG) to identify and jointly develop the necessary foundations and services – the building blocks – for a national eHealth infrastructure: 'NEHTA's WORK 2005-15' PDF (424.56 kB)

NEHTA is continuing to work with stakeholders on the widespread adoption and use of eHealth across the healthcare community until the Australian Commission for eHealth commences operations in July 2016.

Putting the eHealth record system into business is a useful resource for Responsible Officers (ROs) and Organisation Maintenance Officers (OMOs) and their responsibilities in managing their organisations for the Healthcare Identifiers (HI) Service, NASH PKI Certificate for Organisations and the eHealth record system.

Author Matthew Sorell

Senior Lecturer, School of Electrical and Electronic Engineering, University of Adelaide

Australian e-government is a long way behind many other developed nations. Our national leadership has utterly failed to comprehend why e-government should have been a national priority decades ago, and continues to offer little in the way of policy direction.

Hence, our current solutions are a bizarre mish-mash of inconsistent approaches, making it confusing and frustrating for Australians. Every mis-step sets back public trust in online government services. Usability, reliability and security are the keys.

The Australian Tax Office (ATO), for example, provides online data entry, but inadequate explanatory guidance. Searching the ATO website is risky because it also contains obsolete material from previous years.

The ATO communicates by print-formatted electronic documents to a separate MyGov email inbox, making reference to non-existent additional information, yet two-way communication is not possible through this service.

If the Digital Transformation Office is appropriately funded, empowered and motivated, then a top-down review of government services may be able to address the usability and reliability issues over time. Of much greater concern and urgency is the challenge of digital identity.

A relatively cheap software upgrade featuring all the functions of the $422 million Enterprise Patient Administration System - and more - was purchased by SA Health but never implemented, InDaily can reveal.

The beleaguered EPAS, billed as a statewide solution to slow, paper-based and outdated e-health records systems, has been plagued by doctors’ complaints that it slows down care and risks patients’ safety.

Despite the complaints, however, SA Health has persisted with implementing the system.

But InDaily can now reveal the department purchased a software upgrade to another system – OACIS – in 2009, which boasts all of the health record functions of EPAS.

SA Health would not reveal the cost of the upgrade, but InDaily understands it is significantly cheaper than the $422 million spent on EPAS.

And unlike EPAS, an older version of OACIS is already installed on SA Health computer systems in hospitals across the state.

Department stays silent about offloading services.

The Department of Health is staying silent on its proposed sale of Medicare payments to the private sector, despite sailing past the date it originally scheduled to have contracts signed without any movement.

In August 2014, the department issued a request for expressions of interest from organisations to take over the processing and payment of $19 billion in medical benefits claims, $10 billion in pharmaceutical claims and nearly $2.5 million worth of veterans affairs claims every year.

Facing a mammoth IT upgrade bill to replace the ageing system that calculates the Medicare and DVA entitlements, the government instead opted to test the market and see whether any private sector companies already equipped to deliver similar functions - like private health insurers, general insurers or banks - would be interested in taking over the work.

Users are told to make the payment by a specific deadline or risk having the private key to unlock the files deleted.

The active CryptoWall ransomware spawned from CryptoLocker, which is thought to have extorted more than $3 million from victims before the botnet used to distribute it - Gameover Zeus - was taken down last year.

7 comments:

"The Senate Community Affairs Legislation Committee has recommended that the Health Legislation Amendment (eHealth) Bill be passed, with proposed increased penalties for misuse of My Health Record information."

Access controls are at the institution level. Which means that when a patient visits a medical practice and the receptionist happens to access the My Health Record, there will only be a record that the medical practice has accessed the system.

If the information is misused, will anyone know who has really accessed the system? I guess it depends on the software the medical practice has and if it does any logging. If the medical practice is risk averse and the penalties are high, that is a disincentive for them to use the system.

But the really stupid part is that the medical practice can download all the patient's data into their local system. The eHealth legislation doesn't cover that, only generic Privacy legislation.

It also means all the promises about patients knowing who has looked at their health data are wrong on two counts:

1. Only the institution's use is logged.
2. Once it's in the institution's system, there is no patient accessible logging.

Listening only to NEHTA and the Department about this system is like a judge asking a suspect if they have committed the crime, rather than listening to the police, who see things a little differently from an accused.

From memory, one of the requirements/tests for software to access the pcehr is to have permissions for accessing it. Also, from memory, any request to the pcehr, needs to pass either the hpi-i or software userid of the user.

You can also have a password on your record, to stop people accessing it, except in emergency flagged situations.

re: "From memory, one of the requirements/tests for software to access the pcehr is to have permissions for accessing it. Also, from memory, any request to the pcehr, needs to pass either the hpi-i or software userid of the user."

The High-Level System Architecture, Version 1.35 — 11 November 2011, says:

"The PCEHR System only allows provider access to be controlled at the organisation level, therefore the identity credential submitted to the PCEHR System must be that of the organisation that the healthcare provider represents."

Mind you the document also says:

"This document is based on the April 2011 release of the Draft Concept of Operations (ConOps). It will be updated in future to reflect the latest version of the ConOps and to reflect changes to the PCEHR design developed by the National Infrastructure Partner".

It is the only architecture document on the NEHTA/Health website, so I have to believe that it is current and correct.

And the only password I know of is for the portal, not for health professionals accessing your record.

The record owner can set a password to stop health professionals/etc accessing the record without the record owner giving them the password (this can be overridden by the health professional selecting an emergency, which the record owner can optionally get notified about).

So the PCEHR architecture is only available through memory, just who is the principal architect providing leadership over the PCEHR in NEHTA? Or has that discipline been lost from memory? Trust has left the building.

"The record owner can set a password to stop health professionals/etc accessing the record..."

This is the government's big lie. You cannot control which health professionals can access the record, only the institution. If you want to limit access at the professional level you have to talk with your healthcare provider and then trust that they implement appropriate controls. You cannot control it and you are not informed who has accessed your record.

Even if you want to see which healthcare provider has accessed your record it may not be obvious from the audit logs "If you do not recognise the name.. it could be ...because the organisation’s access is centrally managed by a parent Healthcare Provider Organisation". Really user-friendly. Not.

See this page on the government's ehealth website. http://www.ehealth.gov.au/internet/ehealth/publishing.nsf/Content/faqs-individuals-privacy

"Who can see the information in my eHealth record?

Access to your eHealth record by a Healthcare Provider Organisation is controlled by your Access List. You can set access controls for different document types, classifying documents as either general documents or restricted documents.

If you feel it is necessary, you can choose or limit which Healthcare Provider Organisations can see and add to the information on your eHealth record. Who can access your eHealth record is determined by Access Flags set by you and your healthcare provider. You should discuss with your healthcare provider which other health professionals in their local service that they share client records with, and whether you wish to limit access to your record. Note, however, it is important that healthcare providers treating you have access to the vital information that they need when they offer you care.

If you do not recognise the name of the Healthcare Provider Organisation on your Access List, this could be because the organisation’s access is centrally managed by a parent Healthcare Provider Organisation. You should ask your provider for the parent organisation’s name."

"So the PCEHR architecture is only available through memory, just who is the principal architect providing leadership over the PCEHR in NEHTA?"

IMHO, the PCEHR was never architected, only designed. None of the documents I have been able to find (and that includes asking Paul Madden) are what I would recognise as an architecture.

BTW, there is only one thing wrong with the design of the PCEHR:

It's a central database of incomplete, undifferentiated health data with poor access controls and is accessible via the internet.

Apart from that it's OK.

There are alternative architectures and designs that would deliver far more useful aids to health decision making, be more secure and address privacy issues, with little or no government involvement.

IMHO, that's what the government is frightened of - not having all that lovely health data that can be mined and used for surveillance. Of course I have no evidence that they are actively doing these things (there's hardly any data in the system) but the potential is there.

And it's probably not patient data they are most interested in - it's service provider data. They are the ones who are primarily responsible for spending the nation's health funds.

Just to repeat - this is all speculation. I'd be more than happy to be told (with evidence) that I'm completely wrong.